Twitter bug shared location data for some iOS users

Twitter said "a trusted partner" received some iOS users' geo-location data.

How to avoid being locked (forever) out of your Twitter account If your Twitter is hacked, it could be gone permanently and Twitter may not help. Here is one user's sad story and how you can protect yourself.

Twitter disclosed today a bug in its platform that impacted the privacy of some its iOS app's users.

"We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances," Twitter said.

The company said the bug only occurred on its iOS app where users added a second Twitter account on their phones. If they allowed Twitter access to precise location data in one account, then that setting was applied to both accounts managed via the iOS app.

This meant the app sent precise location data to Twitter, which then made it available to "a trusted partner during an advertising process known as real-time bidding," even for accounts users didn't agree to share such info.

However, Twitter said they were the only party who received precise location data, and not the advertiser, which was provided "fuzzed" geo-location data that was scrambled to reduce its accuracy to 5km squared boxes.

"We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process," the company said today on its help site.

Twitter said it already notified impacted users.

The fourth Twitter bug

This is Twitter's fourth bug in its platform disclosed in the past year.

In September 2018, Twitter said an API bug inadvertently shared some users' private messages with developers of apps they did not authorize to receive this data.

In December 2018, Twitter said a suspected nation-state hacking group exploited a vulnerability in its support form system to exfiltrate data from its platform.

In January 2019, a bug in Twitter's Android app accidentally made private tweets publicly accessible to everyone, including non-followers and search engines.

More data breach coverage: